South Korea has hit Coupang with a record 624.7 billion won ($409 million) Coupang data breach fine, the largest personal data penalty the country has ever imposed, after a former employee accessed tens of millions of customer accounts undetected for months.
The Personal Information Protection Commission (PIPC) announced the penalty on Coupang Corp., the South Korean entity of the US-listed e-commerce group, on Wednesday.
The fine eclipses the previous record of 134.8 billion won levied against SK Telecom last year.
How the Coupang data breach fine breaks down
Of the total, 423.6 billion won was imposed for leaking personal data and 201.1 billion won for non-consensual data collection, regulators said.
According to Yonhap News Agency, the 423.58 billion won data-leak portion relates to a breach affecting more than 37 million users, while the 201.16 billion won element covers the unauthorised collection of online user activity data.
A separate 248 million won fine was imposed on Coupang Fulfillment Services, the company’s logistics subsidiary, for unlawfully collecting personal information and using it to place individuals on an employment restriction list.
The scale of the penalty is thrown into further relief by a report from the Seoul Economic Daily, which noted the 624.68 billion won total nearly equals Coupang’s entire 2024 operating profit.
Under Korean regulations, the PIPC can impose fines of up to 3% of a company’s annual sales.
Regulator: Coupang’s systems ‘failed to keep pace’
PIPC chairperson Kyung Hee Song said the breach was not the result of sophisticated hacking but of internal failures.
‘This incident was caused not by a sophisticated hacking method, but by Coupang’s inadequate basic safety management system and negligent management,’ she said.
‘The company grew rapidly by using large-scale customer data to deliver innovative e-commerce services, but investigation found that its personal information protection and management systems failed to keep pace.’
Regulators found that a former employee improperly accessed personal information from nearly 34 million accounts, roughly two-thirds of South Korea’s population, without detection for months.
Diplomatic fallout and investor pressure
The affair has strained relations between Seoul and Washington. After the breach came to light, Greenoaks Capital Partners, a major investor in Coupang Inc., urged the US government in January to investigate South Korea over what it alleged was discriminatory treatment of the American-listed company.
South Korean lawmakers have pushed back against what they described as US political pressure over the handling of Coupang and its executives.
Coupang is incorporated in the United States but operates one of South Korea’s most widely used e-commerce platforms.
Coupang’s response and financial impact
The company said it ‘regretted’ the decision, adding it ‘did not fully reflect Coupang’s proactive measures to prevent secondary harm following last year’s data leak.’
‘Once we receive the commission’s formal written decision, we hope the facts will be clearly established through the legal proceedings,’ the company added in a statement.
Under Korean law, Coupang can challenge the ruling in court.
The financial damage has already fed through to the company’s results. Last month, Coupang warned that revenue growth will slow this year after it issued vouchers to customers in response to the breach.
Its shares have shed about 35% since the start of the year.
The legal challenge window opens once the commission delivers its formal written decision to the company.
